[sldev] RFC: design proposal for VWR-1071

Cypren Christenson cypren at gmail.com
Mon Jul 20 10:55:00 PDT 2009


I finally got some time to sit down and code yesterday. While I do  
appreciate several people pointing me to the existing VWR-6891 patch  
as a starting point, I decided to start from scratch; I mean no  
disparagement whatsoever to the original contributor, but I felt that  
what we've discussed here changes the requirements sufficiently that  
it was easier to work from a clean slate.

Currently my code looks like this: http://cypren.net/images/sg_login_prototype1.png

Per Ambrosia's earlier suggestion, I've moved the stored information  
out of the settings file and into its own file, login_history.xml, for  
better compatibility with viewers that do not implement the patch.  
Passwords are saved there using the same MAC-based encryption method  
used in password.dat, but base64 encoded as part of a serialized LLSD  
rather than in raw binary form.

I currently have a fair bit of housekeeping to do (disabling and  
clearing the "remember password" box when "remember name" is  
unchecked, adding the new controls to other languages/skins, putting  
doxygen comments on all the classes and methods, etc) before releasing  
the patch for review, but most of the core work is done at this point  
and the design seems to be solid. Barring unforeseen problems or any  
more design change requests, I would guess it will be posted to JIRA  
in a day or two.

Since the original bug was logged against VWR, but the earlier  
consensus seemed to be that the UI should be tested in Snowglobe  
first, should I create a new bug in JIRA against SNOW rather than  
uploading a VWR patch?

On Jul 20, 2009, at 3:31 AM, Carlo Wood wrote:

> Cypren, ping (see below)?
> And how is it going overall?
>
> On Wed, Jul 15, 2009 at 12:19:50PM +0200, Carlo Wood wrote:
>> On Tue, Jul 14, 2009 at 06:43:43PM -0700, Cypren Christenson wrote:
>>> Melinda:
>>> * Clearing the list: I was thinking about adding a new button to the
>>> Preferences panel, probably under Network (since there's already a
>>> "clear cache" button there) that says "clear login history".
>>> ("Clearly" this will require i18n translation; maybe this is a good
>>> time to ask how that's usually handled for the project?)
>>
>> I am sure many people will uncheck the box saying "remember password"
>> in the assumption that it will keep the First/Last name and just
>> remove the password. Therefore it should do just that.
>>
>>> Thanks again for everyone's comments and criticism. Keep it coming!
>>
>> I'm using the same name on multiple grids...
>>
>> It is a security problem for me that the viewer only remembers a
>> single password and uses it regardless of the grid.
>>
>> In order to use this feature (remembering passwords) safely, the
>> viewer should first be grid-aware.
>>
>> Maybe also add the login-uri in the password database file?
>>
>> I.e.,
>>
>> Carlo|Wood|http://login.example.com:8000|passwd1
>> Carlo|Wood|http://login.foobar.com:8002|passwd2
>>
>> And then only use a password if the already chosen login uri matches.
>>
>> Actually, using LSL serialization, I'd go for storing this
>> as a map with the uri as key. Not sure about the exact LSL
>> but something like the following would result:
>>
>> <map>
>> <key>http://login.example.com:8000</key>
>>  <map>
>>  <key>FirstName</key>
>>    <string>Carlo</string>
>>  <key>LastName</key>
>>    <string>Wood</string>
>>  <key>PasswdHash</key>
>>    <string>passwd1</string>
>>  </map>
>> <key>http://login.foobar.com:8002</key>
>>  <map>
>>  <key>FirstName</key>
>>    <string>Carlo</string>
>>  <key>LastName</key>
>>    <string>Wood</string>
>>  <key>PasswdHash</key>
>>    <string>passwd2</string>
>>  </map>
>> </map>
>
> -- 
> Carlo Wood <carlo at alinoe.com>
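
Added example, not part of the thread and not code from the VWR-1071 patch: a sketch of the grid-aware lookup proposed in the quoted message, where a saved password is returned only when the chosen login URI matches the stored one exactly. The XML layout follows the sketch in the quoted message; the function names, the URI normalization rules and the sample data are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the layout sketched in the quoted message.
SAMPLE = """<map>
<key>http://login.example.com:8000</key>
 <map>
  <key>FirstName</key><string>Carlo</string>
  <key>LastName</key><string>Wood</string>
  <key>PasswdHash</key><string>passwd1</string>
 </map>
<key>http://login.foobar.com:8002</key>
 <map>
  <key>FirstName</key><string>Carlo</string>
  <key>LastName</key><string>Wood</string>
  <key>PasswdHash</key><string>passwd2</string>
 </map>
</map>"""

DEFAULT_PORTS = {"http": 80, "https": 443}

def grid_key(uri):
    """Reduce a login URI to (scheme, host, port, path) for exact comparison."""
    p = urlsplit(uri.strip())
    scheme = p.scheme.lower()
    if scheme not in DEFAULT_PORTS or not p.hostname or p.username or p.password:
        raise ValueError("unsupported login URI: %r" % uri)
    port = p.port if p.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, p.hostname.lower(), port, p.path.rstrip("/"))

def parse_map(elem):
    """Turn a <map> of alternating <key>/value children into a dict."""
    kids = list(elem)
    out = {}
    for k, v in zip(kids[0::2], kids[1::2]):
        if k.tag != "key":
            raise ValueError("expected <key>, got <%s>" % k.tag)
        out[k.text] = parse_map(v) if v.tag == "map" else (v.text or "")
    return out

def load_store(xml_text):
    return {grid_key(uri): entry for uri, entry in parse_map(ET.fromstring(xml_text)).items()}

def saved_password(store, login_uri, first, last):
    """Return the saved secret only for the same grid and the same name, else None."""
    entry = store.get(grid_key(login_uri))
    if entry and (entry["FirstName"], entry["LastName"]) == (first, last):
        return entry["PasswdHash"]
    return None
```

Comparing the parsed scheme, host, port and path as a tuple, rather than comparing strings or prefixes, keeps a look-alike host or a different port on the same host from matching a stored entry.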
